security: token redaction regex should cover OpenAI API keys #213

@nathanschram

Description

The structlog token redaction processor covers Telegram bot token patterns but does not redact OpenAI API keys (sk-...). Since Untether uses OpenAI for voice transcription and engine subprocesses may have OpenAI keys in their environment, these could appear in logs.

Affected files

  • structlog redaction processor (logging configuration)

Impact

OpenAI API keys could appear unredacted in logs.

Recommended fix

Extend the redaction regex to cover OpenAI keys:

import re

_REDACT_PATTERNS = [
    *existing_patterns,  # the current list (Telegram bot token pattern), unpacked into the new one
    re.compile(r"sk-[A-Za-z0-9_-]{20,}"),  # OpenAI API keys
    re.compile(r"sk-proj-[A-Za-z0-9_-]{20,}"),  # OpenAI project keys (already matched by the pattern above; kept for clarity)
]

Also consider adding patterns for other common API key formats that engines might expose.
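As an added example (not code from the Untether project or the issue author), the snippet below is a complete structlog-style redaction processor built around the proposed OpenAI pattern. It walks every string in the event dict, including nested mappings and lists such as an engine subprocess's environment or argv, so a key does not escape redaction just because it sits inside a structure rather than in the message text. The Telegram pattern is an assumption about the existing one (numeric bot id, colon, 35-character secret); the `redact_processor` signature follows structlog's `(logger, method_name, event_dict)` convention so it can be placed in `structlog.configure(processors=[...])`, but structlog itself is not imported here so the block runs stand-alone.

```python
import re
from typing import Any, Mapping

# Redaction patterns. The OpenAI pattern is the one proposed in this issue;
# a single "sk-" pattern also covers "sk-proj-..." keys. The Telegram pattern
# is an ASSUMPTION about the project's existing pattern, not copied from it.
_REDACT_PATTERNS = [
    re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),  # Telegram bot token (assumed shape)
    re.compile(r"sk-[A-Za-z0-9_-]{20,}"),            # OpenAI API and project keys
]
_REPLACEMENT = "[REDACTED]"


def redact_text(value: str) -> str:
    """Replace every secret-looking substring in a single string."""
    for pattern in _REDACT_PATTERNS:
        value = pattern.sub(_REPLACEMENT, value)
    return value


def _redact_value(value: Any) -> Any:
    """Recursively redact strings inside mappings, lists and tuples; leave other types alone."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, Mapping):
        return {k: _redact_value(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(_redact_value(v) for v in value)
    return value


def redact_processor(logger: Any, method_name: str, event_dict: dict) -> dict:
    """structlog-style processor: returns a copy of the event dict with secrets redacted.

    It must run before the renderer, otherwise the key is already serialized
    into the output line by the time it is inspected.
    """
    return {k: _redact_value(v) for k, v in event_dict.items()}


if __name__ == "__main__":
    # Constructed sample values; these are not real credentials.
    fake_openai_key = "sk-proj-" + "A" * 40
    fake_telegram_token = "123456789:" + "x" * 35
    event = {
        "event": "engine subprocess started",
        "env": {"OPENAI_API_KEY": fake_openai_key, "BOT_TOKEN": fake_telegram_token},
        "argv": ["engine", f"--openai-key={fake_openai_key}"],
        "pid": 4242,
    }
    print(redact_processor(None, "info", event))
```

Ordering matters in the processor chain: the redaction step has to come before `JSONRenderer` or `ConsoleRenderer`, since those turn the dict into the final string. The 20-character minimum in the OpenAI pattern means a short literal such as `sk-short` is left untouched, which keeps the regex from mangling unrelated identifiers that merely start with `sk-`.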

Severity

LOW — requires OpenAI keys to appear in log output.
